Hacking

Black Hat: The Sessions

Submitted by Mike Rothman on Fri, 2006-08-04 15:01.

If there was one major takeaway I got from the sessions and my conversations at Black Hat, it's that we're pretty much hosed. I've always said that if someone wants to get into your network, they can. But to see it right there in front of you and seemingly so easy is quite an experience. Yeah, I've seen those dueling hacker courses - but for some reason this felt different. It felt real. It was a reminder of the dangers lurking out there in the wild.

I only got a chance to attend three of the sessions, so I tried to split them between understanding the threats and cleaning up the mess with forensics.

I went to a session by Thomas Ptacek and Dave Goldsmith of Matasano about the risks of systems management products. Basically the point here is that management "agents" are bots (or zombies). This is trusted code that can pretty much do whatever it wants on the managed devices. Thomas and Dave explained 6 or 7 different ways to break these systems, which would provide access to thousands of devices in a target network. Bet you didn't think of that, eh?

But it underscores the need to pick software carefully. Though they broke into pretty much everything they tested, there were differences in security model and capabilities. Users are still justifiably focused on capabilities for their management applications, but I bet that sooner rather than later, having a verifiably secure agent starts to become a point of differentiation.

I also saw two forensics sessions, since I don't know much about that discipline and it's becoming pretty important. If only to know what kind of data you need to gather and store from the security perspective, and to understand the process the investigators go through.

I saw Chuck Willis and Rohyt Belani of Mandiant do a good session about web application forensics and use a couple of real case studies to make their points. There is nothing like real-life situations to illuminate the points they were making. I also saw Johnny Long do kind of an intro to forensics, which was interesting. As Johnny pointed out, computer forensics folks don't typically get the blood trails that their CSI counterparts do, but following the evidence is key to success.

I also had a number of conversations about the virtualization topic and suffice it to say, it's non-trivial. I'm still familiarizing myself with the nuances of hypervisors and device drivers and the like. The only thing I know for sure is that it will change how we think about security, which is a good thing.

Finally, it's also clear to me that we need to start some discussions about how to blow up the status quo of security. If there was one thing that was abundantly clear, it's that fixing holes is not the answer. The people presenting their research can break networks and applications in MINUTES. We've got to start from a blank slate and really rethink the problem space.

Stay tuned on this. The discussion will be starting soon. But don't call me, I'll call you. The last thing I need is a hundred vendors telling me why their product breaks the status quo of security. That would be so un-Black Hat, after all.

Dark Reading's Top 10 IT Security Myths Demystified - Part 4

Submitted by Mike Rothman on Wed, 2006-07-26 06:41.

Home stretch, baby. Here is Day 4 of the DR Top 10 IT Security Myths posts. The link to the main article is here.

Myth #7 - Hackers are a Necessary Evil (link here)
Just because an attacker can break through security doesn't mean he or she can actually secure it.
Clearly hacking and protecting are different skills. If you spend your time protecting systems and assets, understanding how a hacker thinks is a critical skill. But I guess to me the term "hacker" is kind of arbitrary. Most "hackers" nowadays don't try to break into networks; they let the networks (or the people, that is) come to them. Phishing, pharming and other newfangled social engineering attacks are the new wave of crime, not "hacking."

Now there are some ethical issues to overcome. If someone spent time as a black hat, many organizations won't work with them on principle. I think they are right. I guess there's that whole forgiveness thing, for those that have repented, but if I am looking at two similarly capable folks - one with a clean background and another...not so much - I'm taking the clean person every day of the week. That minimizes risk, and that's what we do for a living, no?

But again, I think this is a poorly written and communicated myth-buster, so it gets a D.

Myth #8 - Antivirus Software is 100% Effective (link here)
AV tools are effective as a means of stopping known bugs, but attackers now routinely design new exploits to bypass them, experts observe.

Does anyone still believe that anything is 100% effective at anything? If so, smack them with a 2x4 HARD. There is no silver bullet and nothing is effective all the time. Nothing. But AV is still important. Why? Because it's all about the old adage, "if you don't remember history, you are bound to repeat it." AV signatures represent the history of malware. If we see the same thing again and we know it's bad, shame on us if we can't stop it.

But there are things that kind of just appear. Zero-day has become a horrifically overused moniker, but the reality is that it takes time to generate the signatures. And in that time, some heuristics-based or anomaly-based detection technique to get an idea that something is bad will help. It's all about layers. Gateway AV is one. Desktop AV is another. Other malware defense mechanisms provide additional layers. So, don't count on anything.
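The layering argument above is easy to see in code. The following is an added example written for this page, not the author's code or any AV vendor's engine. It puts a signature layer (whole-file SHA-256 hashes of known-bad samples) in front of a heuristic layer (constructed family markers plus a byte-entropy check), and shows a variant that slips past the signature but is still caught by the heuristics. All sample bytes, the marker strings and the 7.2 bits-per-byte entropy threshold are constructed for the demonstration and are assumptions, not real indicators.

```python
import hashlib
import math
from collections import Counter

# --- Layer 1: signatures (the "history of malware") ---------------------------
# Constructed bytes standing in for a known malicious sample. Real signatures
# are richer than whole-file hashes, but a hash makes the limitation obvious:
# it matches only a byte-for-byte identical file.
KNOWN_BAD = b"CONSTRUCTED_MARKER_EXEC payload of a known sample, version 1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signature_set(samples) -> set:
    """Derive the signature database from the known-bad samples we have seen."""
    return {sha256_hex(s) for s in samples}


KNOWN_HASHES = build_signature_set([KNOWN_BAD])


def signature_layer(data: bytes, known_hashes: set) -> bool:
    """True if this exact file has been seen and recorded as malicious."""
    return sha256_hex(data) in known_hashes


# --- Layer 2: heuristics (for the gap before a signature exists) -------------
# Constructed markers: strings an analyst has seen across a malware family.
SUSPICIOUS_MARKERS = (b"CONSTRUCTED_MARKER_EXEC", b"CONSTRUCTED_MARKER_PERSIST")
ENTROPY_THRESHOLD = 7.2  # assumed cut-off; packed/encrypted blobs approach 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def heuristic_layer(data: bytes) -> list:
    """Return the list of heuristics that fire; empty list means nothing suspicious."""
    reasons = [f"marker:{m.decode()}" for m in SUSPICIOUS_MARKERS if m in data]
    entropy = shannon_entropy(data)
    if entropy > ENTROPY_THRESHOLD:
        reasons.append(f"entropy:{entropy:.2f}")
    return reasons


def scan(data: bytes, known_hashes: set) -> dict:
    """Run the cheap, precise signature layer first, then fall back to heuristics."""
    if signature_layer(data, known_hashes):
        return {"malicious": True, "layer": "signature", "reasons": ["known hash"]}
    reasons = heuristic_layer(data)
    if reasons:
        return {"malicious": True, "layer": "heuristic", "reasons": reasons}
    return {"malicious": False, "layer": None, "reasons": []}


# Constructed inputs for the demonstration.
VARIANT = KNOWN_BAD.replace(b"version 1", b"version 2")  # one edit defeats the hash
PACKED = bytes(range(256)) * 4  # uniform byte distribution: entropy is exactly 8.0
BENIGN = b"Quarterly report: revenue grew modestly; see the attached spreadsheet."

if __name__ == "__main__":
    for name, sample in [("known", KNOWN_BAD), ("variant", VARIANT),
                         ("packed", PACKED), ("benign", BENIGN)]:
        print(f"{name:8s} -> {scan(sample, KNOWN_HASHES)}")
    # Once the variant has been analysed and its hash added, it becomes a
    # signature hit: the heuristic layer only has to cover the gap in between.
    updated = KNOWN_HASHES | {sha256_hex(VARIANT)}
    print(f"variant after signature update -> {scan(VARIANT, updated)}")
```

The ordering matters: the signature layer is cheap and has essentially no false positives, so it runs first; the heuristic layer is the one that trades some false-positive risk for coverage of samples nobody has written a signature for yet.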

This one is pretty close, so it gets a B+.

We'll wrap this puppy up tomorrow and take it over the finish line. Till then...

Dark Reading's Top 10 IT Security Myths Demystified - Part 3

Submitted by Mike Rothman on Tue, 2006-07-25 08:33.

Returning for Day 3 of my series picking apart Dark Reading's Top 10 Security myths, let's do #5 and #6. The link to the main article is here.

Myth #5 - Employees Always Trustworthy (link here)

Our experts agree that any security strategy which doesn’t include the end user is doomed to failure.

I've been harping on the need for end user awareness training for as long as I've been doing Incite, so I'm totally on board with this one. Actually, I think the title of the myth is a bit misleading; they do mention the insider threat as kind of an afterthought, but most of the piece focuses on training and ensuring the policies and defenses factor in the human element. That means people will do stupid things, even if they are not stupid people.

Thus far, this is the best myth-buster of them all. Correct perspective and written clearly. This one gets an A.

Myth #6 - Bad Guys are Winning (link here)

Behind every successful exploit is usually an improperly configured, maintained, or patched computer, or a clueless user (think lame passwords or clicking on suspicious links or emails). There's plenty of security technology out there, but if you don't deploy it properly, you're asking for it.

Just because we are making it easy for them doesn't mean the bad guys aren't winning. Got that? So yes, I totally agree that the most secure firewall in the world isn't worth crap if you don't have the rules configured properly, and that's where many of the incidents originate. They are correct in saying there is plenty of technology to solve the problems, but that doesn't mean we are using it correctly.

That being said, the bad guys are certainly not losing, because there seem to be more of them every day. I'm a firm believer in market economies and hacking is a booming market. Why? Because these folks are making money. Pure and simple. Whether it's consumer stupidity, configuration ignorance, or bad guy innovation - attacks are working enough of the time to generate a return. So in that respect, the bad guys certainly are winning.

But to me, macro generalizations like that aren't worth much. All that matters is whether they are beating YOU. If your environment is secure and you can prove it to management and the auditors, then YOU are winning. The rest of the world be damned. Too bad for them if they aren't in the same spot.

This one gets a C. Interesting thoughts, but to say that configuring everything correctly will make the problem go away is wrong.